
482 points sanqui | 9 comments
1. 0xbadcafebee No.42292379
Lol. "This is pretty bad. Someone circumvented the ban on emitting public certificates but also disrespected Google's CAA rules. Hope this CA gets banned on Microsoft OSes for good."

Yeah, this is after the certificate was issued, and my guess, used.

Also, has anyone tried to look up CT logs lately? I tried. Can get maybe a single FQDN if you look, but trying to do wildcards or name-alikes, nothing worked. Most of the CT searching websites were straight up broken. Clearly nobody is actually looking at CT logs.

CAs are a joke. There's a dozen different ways to exploit them, they are exploited, and we only find out after the fact, if it's a famous enough domain.

We could fix it but nobody gives a shit. Just apathy and BAU.

replies(5): >>42292471 >>42292537 >>42292577 >>42292621 >>42292889
2. AceJohnny2 No.42292471
> We could fix it but nobody gives a shit. Just apathy and BAU.

We really can't fix it. You try and coordinate updates across all major (and most minor, and outdated) OSs, and websites around the world, amateur & professional, from the mom-and-pop store that doesn't understand any of this, to the big bank that'll take 3 years of procedure.

I have friends who work in the CA field (on the OS side). The level of alcoholism and turnover in the field is... higher than average.

replies(2): >>42292576 >>42292585
3. numbsafari No.42292537
Wildcards work on crt.sh:

https://crt.sh/?q=%25.ycombinator.com

replies(1): >>42298563
4. doubled112 No.42292576
Relative to all professions or relative to just IT/tech?
5. syncsynchalt No.42292577
crt.sh gives you direct access to their Postgres database, if you find the capabilities of their site lacking.
6. No.42292585
7. thayne No.42292621
How would you fix it?
8. aaomidi No.42292889
Give me a grant of a few million a year and we could do significant improvements here :P
9. numbsafari No.42298563
Just wanting to add to my own comment...

crt.sh allows you to subscribe to an RSS feed for wildcard searches. We map those into a slack channel for infrastructure advisory alerts. You can also set up more aggressive alerts if something shows up unexpectedly.

It's an incredibly handy service.
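Comments 3 and 9 describe the workflow (crt.sh wildcard query, feed into a chat channel, alert on anything unexpected) but not the triage logic that turns a feed of certificates into an alert. The script below is an added example for this thread, not code from crt.sh or from any commenter. It assumes the record shape of crt.sh's `output=json` results (keys `id`, `issuer_name`, `common_name`, `name_value`, `not_before`, `not_after`, `serial_number`, with `name_value` carrying one name per line and one row per matched identity, so the same certificate `id` can repeat). The records embedded in it are constructed, not real log entries, and the issuer "Unlisted Issuing CA" is fictional. The two checks it applies are the ones a CAA-aware operator wants: was the issuer one you authorize, and do the names on the certificate match names you know you requested.

```python
"""Triage crt.sh wildcard-search results against an allowlist.

Added example, not code from crt.sh or any poster in the thread.
Assumed record shape: crt.sh `output=json` (id, issuer_name, common_name,
name_value, not_before, not_after, serial_number). SAMPLE_RECORDS below
are constructed; the issuer "Unlisted Issuing CA" is fictional.
"""
import json
import urllib.parse
import urllib.request


def crtsh_json_url(domain):
    """Query for every cert naming a subdomain of `domain`.
    `%` is the search wildcard, so it goes on the wire URL-encoded as `%25`."""
    return "https://crt.sh/?" + urllib.parse.urlencode(
        {"q": "%." + domain, "output": "json"})


def fetch_records(url, timeout=30):
    """Live fetch; not called by the offline demo below."""
    req = urllib.request.Request(url, headers={"User-Agent": "ct-monitor-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample: two rows for cert 1001 (one per identity, as crt.sh
# emits), one cert from an issuer outside the allowlist, one wildcard cert
# from the expected issuer that nobody in the inventory asked for.
SAMPLE_RECORDS = json.loads(r"""[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
  "common_name": "example.com", "name_value": "example.com\nwww.example.com",
  "not_before": "2024-11-01T00:00:00", "not_after": "2025-01-30T00:00:00",
  "serial_number": "04aa11"},
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
  "common_name": "example.com", "name_value": "example.com\nwww.example.com",
  "not_before": "2024-11-01T00:00:00", "not_after": "2025-01-30T00:00:00",
  "serial_number": "04aa11"},
 {"id": 1002, "issuer_name": "C=XX, O=Unlisted Issuing CA, CN=Unlisted G1",
  "common_name": "api.example.com", "name_value": "api.example.com",
  "not_before": "2024-11-20T00:00:00", "not_after": "2025-11-20T00:00:00",
  "serial_number": "0bad01"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
  "common_name": "*.example.com", "name_value": "*.example.com",
  "not_before": "2024-11-25T00:00:00", "not_after": "2025-02-23T00:00:00",
  "serial_number": "04aa12"}
]""")


def issuer_org(issuer_name):
    """Pull the O= attribute out of a crt.sh issuer DN string.
    Simple split on ', '; a DN with a quoted comma inside a value would need
    a real DN parser."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_name  # no O= present: compare the whole DN


def triage(records, allowed_issuer_orgs, known_names):
    """Return one finding per distinct certificate that violates a check.
    allowed_issuer_orgs mirrors the CAs you authorize (what your CAA
    records say); known_names is the inventory of names you requested."""
    seen = set()
    findings = []
    for rec in records:
        if rec["id"] in seen:          # crt.sh repeats a cert per identity
            continue
        seen.add(rec["id"])
        names = {n.strip().lower() for n in rec["name_value"].splitlines() if n.strip()}
        org = issuer_org(rec["issuer_name"])
        reasons = []
        if org not in allowed_issuer_orgs:
            reasons.append(f"issuer {org!r} not in allowlist")
        unknown = sorted(names - known_names)
        if unknown:
            reasons.append("unexpected names: " + ", ".join(unknown))
        if reasons:
            findings.append({"id": rec["id"], "issuer": org,
                             "names": sorted(names), "reasons": reasons})
    return findings


def format_alert(findings):
    """One line per finding, suitable for posting to a chat channel."""
    return "\n".join(
        f"crt.sh id {f['id']}: {'; '.join(f['reasons'])} "
        f"(issuer {f['issuer']}, names {', '.join(f['names'])})"
        for f in findings)


def demo():
    """Offline run over the constructed sample."""
    return triage(SAMPLE_RECORDS, {"Let's Encrypt"},
                  {"example.com", "www.example.com", "api.example.com"})


if __name__ == "__main__":
    print(crtsh_json_url("example.com"))
    print(format_alert(demo()) or "nothing unexpected")
```

For a live run, replace `SAMPLE_RECORDS` with `fetch_records(crtsh_json_url("example.com"))` and keep a store of ids already reported so each certificate alerts once. The noisy part in practice is `known_names`: it has to track every name that legitimately gets a certificate, or wildcard and staging hosts will page you as often as a real mis-issuance does.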